Define Forensics Collection Preferences

To help you better understand and derive implications about the true nature of a security event when it occurs on an endpoint, you can configure forensics collection options. At the time of a security event, Traps can report the files that were accessed, modules that were loaded into memory, URIs that were accessed, and ancestor processes of the process that triggered the security event.
  1. Configure a new forensics rule.
    Select
    Policies
    Forensics
    Management
    and then click
    Add
    .
  2. Define forensics collection preferences.
    Select
    Forensics Collection
    and then configure preferences in the following fields:
    • Report Accessed Files
      —Select
      Enabled
      to collect information about files that are loaded in memory under the attacked process for in-depth event inspection.
    • Report Loaded Modules
      —Select
      Enabled
      to report which PE image files are loaded on the system at the time of a security event.
    • Report Accessed URI
      —Select
      Enabled
      to collect network resources that were accessed at the time of the security event and uniform resource identifier (URI) information from web plug-ins, media players, and mail clients.
    • Report Ancestor Processes
      —Some applications can run Java applets as a process child, and even as a process child of a process child and so on. Select
      Enabled
      to record information about the ancestry processes from browsers, non-browsers, and Java applet child processes to allow you to better understand the root of an event.
    Alternatively, for each data type, you can
    Disable
    forensics collection or
    Inherit
    the settings from the preceding rule in the rule hierarchy.
  3. (
    Optional
    ) Add Conditions to the rule. By default, a new rule does not contain any conditions.
    To specify a condition, select the
    Conditions
    tab, select the condition in the Conditions list, and then
    Add
    it to the Selected Conditions list. Repeat this step to add more conditions, as needed. You can also define new Conditions.
  4. (
    Optional
    ) Define the Target Objects to which to apply the rule.
    To define a smaller subset of target objects, select the
    Objects
    tab, and then enter one or more
    AD Users
    ,
    AD Computers
    ,
    AD Groups
    ,
    AD Organizational Unit
    ,
    Existing Endpoints
    , or
    Existing Groups
    in the Include or Exclude areas. The Endpoint Security Manager queries Active Directory to verify the users, computers, groups, or organizational units. The ESM Console also offers autocompletion as you type for existing endpoints and existing virtual groups.
  5. (
    Optional
    ) Review the rule name and description. The ESM Console automatically generates the rule name and description based on the rule details but permits you to change these fields, if needed.
    To override the autogenerated name, select the
    Name
    tab, clear the
    Activate automatic description
    option, and then enter a rule name and description of your choice.
  6. Save the forensics rule.
    Do either of the following:
    • Save
      the rule without activating it. This option is only available for inactive, cloned, or new rules. When you are ready to activate the rule, select the rule from the
      Policies
      Forensics
      Management
      page and then click
      Activate
      .
    • Apply
      the rule to activate it immediately.
    After saving or applying a rule, you can return to the
    Management
    page at any time to
    Delete
    or
    Deactivate
    the rule.

Recommended For You